Parents and Guardians themselves sometimes fail to recognize some of the dangers, so it is imperative that they acknowledge the importance of staying informed and up to date. The worst thing you can do is to think that it only happens to others. Prepared Parents and Guardians will better prepare their children and dependents for a future that, in all likelihood, will be increasingly technological, regardless of their interests, wishes, and professions.

Applying all the security recommendations can be an extensive and complex task, but don’t be alarmed. Start somewhere. Cybersecurity should be understood as something continuous and not a one-off action at a particular moment in time. So, don’t try to apply all the recommendations at once; instead, make this article (and others on this blog) a reference that you return to from time to time in order to improve your online posture.

Start by Raising Awareness in Your Children

Recognize that the human factor is the weakest one, as demonstrated by the various companies that invest thousands or millions of Euros in cybersecurity and end up suffering an attack because of a human failure. There is little point in following all the best practices if someone then provides data or carries out actions that compromise everything.

Don’t share personal data

It is important to start raising your children’s awareness from an early age not to share personal data - such as their full name, phone number, address, among others - without your assessment and authorization. Since you don’t know who is on the other side, sharing personal data should only be done when the situation justifies it and the adult understands and accepts the purpose of that collection.

You should also consider whether the child’s accounts will be created using their first and last name in the username, or whether they will aim to remain completely anonymous.

Be cautious with strangers

From a very early age, children are taught not to talk to strangers in the physical world. In the virtual world, they should also be cautious. The truth is that they don’t know who is on the other side, and the data and profile picture - or even the photographs or videos the other person sends - are not always genuinely of that person.

Adults can pose as children; boys can pose as girls and vice versa; men can pose as women and vice versa; people with bad intentions can pose as people with good intentions; and so on.

Over roughly 20 years I have collected several striking stories, some involving people I know personally, which are examples of the dangers that young people can face.

I’m sharing two situations with you just as examples, but I could tell you about many more cases.

“The Sausage”

A boy thought he was developing a friendship - or perhaps something more - with a supposed girl he was talking to in an Internet chat. He gained confidence to the point of sharing some rather intimate photographs of himself. The next day, those photographs were all over the school he attended. In other words, the person on the other side was, in fact, a boy or a group of boys posing as a girl.

They managed not only to win the boy’s complete trust but also to get him to share something ridiculous. The boy became known as “The Sausage” because the situation involved a sausage. He had to leave the school, and the incident is still a topic of conversation today among the former students of that school. Who knows what other impacts it had on the young man and his family.

The fight against pedophilia

Without wanting to be dramatic - and I know these cases are more extreme, but it is important that we are all aware that they exist - I’m sharing with Parents and Guardians the work of one of the best (ethical) hackers in the world, Ryan Montgomery, who, together with his friend Dustin Lampros, an MMA fighter, has been exposing several cases of pedophiles who, from the Internet, try to arrange meetings with children, most of them around 13 years old.

The hacker began by reporting several situations that prompted no action from the authorities. So he decided to team up with his fighter friend and, under the name 561 Predator Catchers, to pose as the victims, accepting the meetings proposed by the pedophiles, but with the two of them showing up publicly instead of the child the pedophile expected to find.

With the evidence, and face to face, they force the pedophiles to admit their intentions, ultimately also making them call their spouses to confess their actions, and then reporting them to the authorities.

Share events with Parents and Guardians

It is also essential that the dialogue between Parents and their children, or between Guardians and their dependents, be open, and that a safe space be created for children and adolescents to share with their Parents and Guardians what is happening in the virtual world.

Whether it’s something they’re asked, shown, or sent - or, above all, a meeting that someone wants to arrange - this should always be known to the family. But for that, Parents and Guardians must create the conditions for their children and dependents to feel comfortable doing so. We may be moving into an area that belongs more to psychology than to technology, but the key takeaway is that if you want your children and dependents to share these situations with you on an ongoing basis (and not just at a given moment), it is essential that your reaction allows for it, so that they don’t feel afraid or intimidated. Stay calm, take a deep breath. Make sure you resolve that specific situation, but that you also create the conditions for that channel of sharing to be maintained.

Protect Your Home Network

This is the point most neglected by people, perhaps because it is technically the most complex, but the goal is simple to understand: it is perhaps on your home network that most of the Internet traffic received and sent by the devices your children use passes through. As much as the devices themselves may be protected, if the network is not, you have a huge security hole.

In addition to the tips below, you can consult here the recommendations of the United States National Security Agency (NSA) on this matter.

And if you don’t feel comfortable with this topic, skip to the next one and come back here later.

Get a firewall

I think few people are aware of this, but the routers that telecom operators install in our homes are not exactly secure. And complaining to your telecom operator probably won’t get you very far. Those are the models they have available, and they won’t pay much attention to your cause.

What you should do, however, is make sure that device is updated from time to time. For example, when you renew your contract, you should demand the replacement of the device. In other words, we’re not just talking about updating the firmware, but the equipment itself. Given the relatively short cycles of technological updates we experience, the equipment will probably be obsolete by the time the contract is renewed.

This update is important for the performance of your network, but mainly for security reasons.

So, these devices are designed to provide you with Internet, cable television, and landline phone services, but they are not exactly designed to keep your network secure. With this in mind, I would not be exaggerating if I said that most homes worldwide end up being, to a certain extent, unprotected.

Unlike other measures that don’t require investment, this one requires purchasing equipment (or repurposing an old computer with two network cards). But it is an investment that turns out to be very worthwhile, in that it protects your entire home network (we’re talking about computers, tablets, smartphones, smart TVs, IoT, etc.) and will allow you something I consider essential, which is to have some visibility over your network.

In other words, it’s one thing to use our devices in our home without much awareness of what is going on across the network, and quite another to have a console with a dashboard showing all the information needed to understand whether the traffic is normal or whether there is something strange.

You will be able to tell whether the protocols being used are normal or not, to and from which countries the traffic is coming, and which services are being used, such as Google, Facebook, Instagram, Microsoft 365, etc. So if something suspicious appears, you can take immediate action.

You can, for example, block traffic to and from certain countries; that is, if you don’t want your network to communicate with systems in Russia or China, you can create that block (even though the block can easily be circumvented with a VPN), both for the traffic leaving your home and for the traffic coming in.

I’m talking about solutions such as pfSense, for more experienced users, or the Dream Machine from UniFi, for less experienced users who value a modern and simple interface, with the added benefit of integrated Wi-Fi.

Create separate networks

If you work from home, have you ever considered that when you connect your company devices to your home network, you are allowing your personal devices and your company devices to see each other, with all the risks that this can bring to you and to your company or the company you work for?

And that the devices your children use (who usually click on any link and open any attachment) are also on the same network segment as your devices, which you use to access your bank account, your email, and other personal documents and services of great importance to you?

Firewalls allow you to create separate networks for specific purposes. That is, you can create a network for your personal devices, another for the devices used by your children, another for IoT devices (assistants, video surveillance cameras, kitchen and vacuum robots, etc.), one just for guests, and, if you work from home, another for company devices.

Then you can even specify which networks pass through the router’s physical ports, if you want to connect devices via Ethernet cable, commonly known as a network cable.

The advantage of this configuration is that if something goes wrong with a device on a particular network, the likelihood of it affecting the devices on the other networks will be much lower, since the networks will be isolated - that is, the devices on one network cannot see the devices on the others.

Create separate Wi-Fi networks

In addition, you can create Wi-Fi SSIDs for each of these needs and associate them with the VLANs you created.

Use WPA3

Wi-Fi Protected Access 3 (WPA3) is the most recent standard for Wi-Fi networks, allowing the communication between each device and the Access Point (AP) to use stronger encryption, protection against attacks that under WPA2 made it possible to discover the SSID password, etc.

Add your devices to the white list

You probably remember from when you were younger that some people managed to figure out their neighbors’ Wi-Fi password and get free Internet that way. Nowadays most homes already have Internet, so this kind of access is no longer done for that purpose, but when it is done it has worse goals, such as spying or attacking.

With this in mind, adding your devices’ MAC Addresses to the white list and blocking all others gives you additional security.

Enable the Intrusion Detection System (IDS)

The Intrusion Detection System (IDS) feature makes it possible to detect intrusion attempts and notify the administrator, so that action can be taken. However, it does not make any change to or blocking of the traffic.

In other words, this means that if an attack is taking place, the IDS will not contain it. It will only inform you of it.

Enable the Intrusion Prevention System (IPS)

The Intrusion Prevention System (IPS) acts proactively in preventing attacks, seeking to keep them from reaching your internal network.

Create traffic rules

With traffic rules you can “be in charge” of your traffic; that is, you can create inbound and outbound rules that allow or block traffic, based on conditions such as applications or groups of applications (social networks, online games, etc.), domains, IPs, regions, etc., and you can even schedule the times at which the rule applies.

Use a VPN

A Virtual Private Network (VPN) creates an encrypted tunnel between your device and the VPN server. This means that if someone captures the traffic, they will not be able to interpret it, because it will be encrypted. This gives you privacy, because neither your Internet Service Provider (ISP) nor other entities will be able to see your traffic.

When choosing a VPN, you should make sure it has a certified no-logs policy - that is, that no data about your traffic is stored - because otherwise you would be protecting yourself from some entities but giving information to the VPN provider.

VPN services like (affiliate links) Proton VPN, NordVPN, Bitdefender VPN are recognized as trustworthy.

VPNs are commonly installed on devices such as computers and smartphones, but installing them at the router level allows all the devices in your home to use the tunnel and therefore be better protected.

Receive notifications and monitor traffic

Enable notifications to your email or smartphone, and monitor your network from time to time, to ensure that everything is normal.

Protect Your Devices

Now that your home network is minimally protected, it’s time to protect your devices.

Don’t routinely use privileged accounts

On computer operating systems such as Windows, macOS, or Linux, it is possible to have administrator users and standard (non-administrator) users.

In your day-to-day use, you should use non-privileged - that is, non-administrator - accounts. The same goes for your children.

The reason for this is that privileged (administrator) users can perform any kind of task on the computer, such as installing software, changing advanced settings (including security settings), among others.

By using administrator accounts in your daily routine, you run a greater risk, because in the event of infection, since the user has administration privileges, the malware will be able to more easily install other malicious software or make changes to the computer that it could not make with a standard user.

In the case of children and adolescents, they will be able to do the same - sometimes installing software without your supervision, which can prove dangerous. They may also make changes or run programs that you don’t want to be run.

With this in mind, the whole family should have their own standard account, and only one or a few family members should have administrator accounts. This way, whenever a family member wants to install an application or change more advanced settings, they will have to request permission from the person who knows the administrator password.

But be careful: you should not share that user’s credentials with your children, because if you do, they will be able to authorize these tasks themselves without needing your consent.

Install antivirus on all devices

Another recommendation is to have antivirus on all the devices in your home - that is, not only on yours but also on those of the children/adolescents. This is because if adults fall for tricks (we’ve all heard news of people who were hacked because they clicked on a link or opened a malicious attachment), minors fall for them even faster, clicking and opening anything.

An antivirus recognizes malicious files based on their signature, and the more advanced ones include heuristics - that is, they have the ability to identify suspicious behavior. Some test files in a sandbox (i.e., in an isolated environment), thereby being able to tell whether they are malicious or not, even without knowing them beforehand.

For this reason, antivirus software is a great help in preventing the infection not only of that device but the spread to other devices on the same network.

An infection that starts on a child’s device can spread to the devices of Parents or Guardians with severe impacts.

There are free antivirus programs, but my recommendation goes to the paid ones, in that their identification rate and recovery capability are usually higher, and they also include priority support.

And it is not always apparent at moment zero that devices are infected. To give you an idea, there are companies that, when they realize they have been attacked, find that the attackers had already had access to their systems for months.

So invest in good antivirus to protect yourself. You pay for a one-year subscription, and that subscription usually includes more devices, allowing you to protect 5 or 10 devices - which can be computers, tablets, and phones - thus protecting the whole family. You can, for example, use (affiliate link) Bitdefender.

Use a Virtual Private Network (VPN)

As mentioned above, a VPN creates an encrypted tunnel between your device and the VPN server, which means that if someone captures the traffic, they will not be able to interpret it, because it will be encrypted. This gives you privacy, because neither your Internet Service Provider (ISP) nor other entities will be able to see your traffic.

When choosing a VPN, you should make sure it has a certified no-logs policy - that is, that no data about your traffic is stored - because otherwise you would be protecting yourself from some entities but giving information to the VPN provider.

VPN services like (affiliate links) Proton VPN NordVPN Bitdefender VPN are recognised as trustworthy.

Only use official sources

If apps with malware are installed even via the official stores, imagine what happens through unofficial channels. The tip here is to use, as much as possible, only official sources, that is:

• On Windows, the Microsoft Store;

• On macOS, the App Store;

• On Linux, the distro’s official store;

• On Android, the Play Store;

• On iOS, the App Store.

This doesn’t mean you can’t install applications from other sources, which is actually quite common on computers. But in that case you should be extra careful and make sure you are downloading from the official sources.

Keep operating systems and applications updated

Operating system and application updates don’t just deliver new features; they also fix bugs and vulnerabilities. It is therefore recommended that you always keep your operating system and applications as up to date as possible.

I recognize that it’s a nuisance to have your device unavailable while the update is being installed; however, I emphasize their importance, especially the critical ones, which protect the device from newly discovered threats, thereby preventing them from being exploited against you.

Replace devices that have reached End of Life (EOL) and, in particular, End of Support (EOS)

Just as it is important that, when renewing your contract with your telecom operator, you request the replacement of your router with a newer one, it is also important to do the same with your devices. Pay attention to the dates on which they reach End of Life (EOL) and especially End of Support (EOS).

The term End of Life means that the manufacturer has stopped making more of those devices, and End of Support means that it has stopped providing support for them. This means it has stopped releasing updates, such as security updates, which prevent vulnerabilities from being exploited.

When this happens, the time has come to update your hardware with a new one.

Naturally, technology is not cheap and it is not always possible for us to stay up to date, but it is important to be aware that the older your devices get, the more vulnerable they are. That is, over time more and more flaws are discovered, and if the device is no longer receiving security updates, the vulnerabilities will become increasingly well known. There are websites on the Internet that list vulnerabilities for the general public.

Pay attention to app permissions

It is also essential to be careful about the permissions you grant. For example, it may be strange to have a fitness app requesting permission to access your device’s contacts, or a football scores app requesting permission to access your calls.

The same can happen with the apps your children install. A game that requests permission to use the camera and the microphone - does it really need that permission?

When we grant these permissions, we allow these applications to have access to our data or to perform tasks we don’t want them to perform.

So pay attention to the permissions you grant, and from time to time carry out a review to remove the permissions that don’t make sense for the scope of use of the application in question.

Uninstall apps you don’t use; disable features that aren’t useful to you

Kids tend to install endless games. They install one, play it for a while, get bored, search for and install another, play it, get bored, and the cycle repeats for days, weeks, months… Sometimes Parents or Guardians only notice this when the device gets slow and runs out of space.

This not only affects the device’s performance but also increases the likelihood of mishaps. Remember that each app or game you install increases the likelihood of your device having vulnerabilities that can be exploited. So uninstall the apps or games you don’t use.

You should have the same mindset with other technologies or features of your device. For example, did you know that Bluetooth has vulnerabilities that are frequently exploited? If you’re not using it, turn it off. You’ll save battery and reduce the attack surface.

Take special care with cameras and microphones

There is nothing more secure than combining software controls with physical controls. That is, if one fails, the other is there to compensate. To give a concrete example, if a particular malicious application activates the camera behind your back, if you have a physical blocker, all the person will see is darkness.

The same happens if you have a physical microphone blocker. Even if someone bypasses the software controls, they won’t be able to hear anything - I wrote about this here.

Believe me, this happens more often than you think, and more easily than you imagine. And if you don’t have good antivirus, you could be being spied on without even realizing it - including by apps that hide themselves in the apps menu.

In the specific case of assistants, disable the microphone whenever they are not being used.

Protect Your Online Accounts

The cloud has greatly simplified our lives. Consider, for example, swapping devices. We set up a new device with our account and, voilà, our contacts, emails, and photographs are already available on the new device without us needing to transfer them manually.

The value of the information that online accounts contain is usually quite high for individuals and companies. It is imperative to protect them as best as possible. However, this is not always done, and the consequence is that they can end up being broken into by strangers, unauthorized people.

And no one wants to have a stranger with access to their emails, reading private documents or notes, viewing family photographs, etc. But to avoid this, it is important that you observe some best practices that I describe below.

If you want to learn more about this subject, I invite you to read the article I wrote on this topic: Password Management - Best Practices to Know.

Set up strong passwords

Start by setting up strong passwords. Be aware that short passwords are easily guessed by software widely available on the Internet, and that a password starts to be considered strong from 14 characters onward.

For a password to be strong, it doesn’t need to be hard to memorize. A very effective technique is to combine 3 random words, such as “window-sun-beach”, apply upper and lower case, add numbers and special characters, and you end up with a password that takes centuries to guess.

Replacing “a” with “@”, “E” with “3”, “T” with “7”, or “O” with “0” only makes them harder to memorize and type, and doesn’t really add security to passwords, because software has long been programmed to do that too. Just to give you an idea, the password “P@ssw0rd123!” takes only 2 minutes to crack.

Use unique passwords for each service

Never use the same password for all your accounts! Strictly speaking, the ideal is for each account to have a unique password that is not used on any other account.

The mindset here is that if one account is compromised and you use the same password on other accounts, you can already see what is going to happen, can’t you? Instead of one compromised account, you’ll have several.

A concrete example is using the same password for your Gmail and Instagram accounts. If someone discovers your Gmail password, they will not only be able to read your emails but also access your Instagram conversations and, who knows, post in your name.

Teach this to your children from a young age. Remember that as they grow they will have more and more exposure to technology and, consequently, more and more accounts. Each new account should have a new password.

Encourage your child not to share passwords outside the family circle

In their innocence, children - and even adolescents - can sometimes share their passwords with friends or schoolmates, and also with other people outside the family circle.

This is dangerous, because no matter how well intentioned the other person may seem, the temptation to access our private data can be great. Moreover, often the best way to spread a piece of information is to ask someone to keep it secret. That is, what certainty do we have that that person won’t share our credentials with other people, even more distant from us?

Don’t let your young children know account passwords, especially if they contain sensitive data. But if they already have their own accounts or if they know your passwords, do some awareness-raising work to prevent them from being caught out like the people in the video below.

Use password managers

To help us easily manage the growing number of accounts we have, as well as to simplify the best practices of having passwords that are complex enough not to be easily guessed, different for each service, among others, the use of a password manager is indispensable.

Services like (affiliate links) Proton Pass, 1Password and NordPass are recognized as trustworthy services and are widely used.

Secure storage of passwords

First of all, password managers store your credentials securely. This means they use strong cryptography so that, even if their servers are compromised, no one can view your passwords.

Organization

Password managers also have the great advantage of allowing you to store the whole family’s credentials in an organized way. That is, you can create virtual vaults in which you store each of the passwords. For example, a vault for your own credentials, another for your child’s credentials, another for your parents’ credentials (in case you help them in this virtual world), etc.

In addition, besides the name/label you can give to each of your credentials, you can specify the website address. This way, the password manager will be able to identify the credentials it has to use whenever you access a site where you have an account, simplifying the process.

Creation of secure passwords

These services usually offer features to generate passwords with the characteristics you want; that is, you can specify the number of characters, whether to include numbers and special characters, and they even indicate the strength of the password you are generating.

You only have to memorize a single password

That’s right, you only have to memorize the master password, which you will use to access and decrypt all the others. You don’t need to memorize any other password, because they will all be stored within the service, so from the moment you are logged in, you can view or copy the passwords you want, or even use browser extensions that do it for you.

And since you only have to memorize one password, what’s the issue with generating passwords with 16, 32, or 64 characters for the services you use? The effort of logging in will be the same regardless of the number of characters the passwords have, and at least it ensures they are secure.

Simplicity in login: extensions and mobile apps

Password managers offer extensions for the best-known and most widely used browsers, as well as apps for Android and iOS, which greatly simplify the entire login process.

Enable Multi-Factor Authentication (MFA)

Multi-Factor Authentication adds an extra layer of security to your accounts and your children’s accounts, by requiring one or more authentication factors in addition to the username and password. In other words, without MFA enabled, you can log into the account using just the username and password. If someone somehow discovers that data, they can access your accounts with no further obstacle. With MFA enabled, after entering the correct username and password, it is necessary, for example, to enter another code or approve the login on a different device, which proves that the account is really yours.

That other code can be sent by SMS, email, or it can be a hardware token or even one from an Authenticator-style app, such as Google Authenticator or Microsoft Authenticator.

I know it’s a nuisance to have to resort to extra codes to log into accounts, but believe me, this is a powerful configuration for protecting your accounts. Furthermore, you can increase login simplicity while increasing account security by setting up passkeys or using security keys such as the Yubikey, which allow you to log in without a password.

Learn more about this subject in the following article I wrote: Why you need to activate Multi-Factor Authentication (MFA) immediately

Set up Parental Controls

Parental controls allow you, as the name suggests, to have some control over the devices and applications used by your children. When enabled, the device or the application understands that it will be used by a minor, and immediately performs content moderation so that the child only views information appropriate for their age.

In addition to this adaptation of content to age, it will also allow you to set the total time limit you allow the child to use the device or application. After that time, it gets blocked and the child will have to enter a code to unlock it - a code known only to the parent. That is, you can set your dependent to use the tablet for a maximum of one hour, with the device getting blocked after that hour.

This way, you complement your household rules with an effective lock, preventing the little ones from taking advantage of a moment when you lose track of time, or while you’re dealing with other tasks. It also prevents possible secret use.

These tools also provide access to usage statistics and even notifications, as they are linked to your own device and/or application.

I do not, in any way, advocate that children should not use technology. On the contrary. I think the teaching of technology lags far behind what are the actual current and future needs, and behind all the doors it opens. People with technological literacy will increasingly have opportunities that cannot be granted to those who lack it. I am also not the right person to talk about the limits that should be set, since that may be a role for psychology professionals. However, I cannot fail to stress the importance of children playing and learning without technology, especially outdoors and with other children, which is why I advocate that limits be set.

Protect your bank account

One of the problems that occurs fairly often is children buying games, in-game items (such as virtual houses, cars, clothing, or others), or activating subscriptions through the mobile device stores, such as the Play Store or the App Store. This happens because parents associate their physical debit or credit card details, which is something you should never do.

Instead, a safer way to avoid unpleasant surprises on your bank statement - from payments made without your consent - is to create bank cards and define what use you want them to have; that is, you can create cards for:

• A single purchase, where you make a single payment and can’t buy anything else with that card. In other words, services also can’t charge you anything more on that virtual card;

• Multiple purchases, where you can make several purchases with that card;

• Recurring payment, which is useful, for example, for the monthly subscription of a service.

For each of the options above, you can set the card’s validity, as well as the limit amount that can be charged. You can also cancel the cards at any time, with no impact on your physical card.

Financial apps are increasingly offering these features, just like the well known MBWay in Portugal and Pix in Brazil.

In addition, and because protection is built in layers, you should configure the app stores to always ask you for the account password before any purchase is authorized. If that password is not shared with your children, they will always have to come to you, regardless of which card is configured. But watch out for shoulder surfing while you enter the password - that is, you should not let your children see the keyboard or the screen while you enter the password. Believe me, they memorize it in an instant!

Learn more details about this subject in the article I wrote on how to protect bank cards - Bank Cards - Learn How to Protect Them

These are some of the attacks carried out on bank cards that it is important to know about, and we will address them in this article, providing the necessary details to help you protect yourself against them:

• The theft of bank card data, which allows a malicious actor to make payments with them, can be carried out by observing physical cards or compromising platforms where you have used them and that store your data to make it easier for you to use the same cards for future payments;

• Contactless technologies allow a criminal to bring a payment terminal close to your pocket to make unauthorized payments, as payments up to certain amounts do not require PIN entry, or to copy the data from your bank cards;

• The cloning of bank cards in ATMs and gas station pumps, using disguised technology;

• Among others.

Knowing the existing vulnerabilities is essential to protect your payment card accounts from unauthorized transactions.

The evolution of payments with bank cards

The first bank cards appeared in the 1950s. In the United States, Diners Club launched the first multipurpose credit card, made of paper, allowing consumers to make purchases at a limited network of establishments.

A few years later, in 1958, American Express and BankAmericard (now Visa) launched their own bank cards.

In 1966, Master Charge (now Mastercard) was introduced.

Get to know the main types of bank cards used today, as well as the most modern ways to make payments.

Magnetic stripe bank cards

Magnetic stripe cards, developed by IBM in 1969, store information in a static manner that is read at payment terminals. Since they do not use encryption and the information never changes, they can be easily read and copied onto a blank card by anyone with a magnetic stripe reader, potentially being used for unauthorized payments by the consumer.

EMV contact chip bank cards

EMV contact chip bank cards were first developed in 1994. The first EMV chip cards were launched in Europe in 1996, and global adoption began in 2000. They require physical insertion into payment terminals to complete a transaction and use encryption to generate a unique code for each transaction, known as a cryptogram, which is validated by the bank. Since this code can only be used once, it makes cloning more difficult, thus offering greater security compared to magnetic stripe cards.

However, although considered more secure than magnetic stripe cards, they are not completely immune and several attacks are known. Given this, it is important not to let your guard down.

EMV chip contactless payment cards

EMV contactless cards use Near-Field Communication (NFC) technology, making them more convenient to use and, in a way, more secure since they do not need to be inserted into payment terminals.

However, to maximize their security, it is necessary to store them properly in wallets or cardholders with Radio Frequency Identification (RFID) blocking technology. Otherwise, they are susceptible to data being read without your knowledge. We will discuss this type of wallet further down in this article.

Mobile Devices

Contactless Payments (NFC)

Mobile payment using devices like smartphones, tablets, and smartwatches through proximity using NFC technology has made payments even more convenient, as we typically have our phone more readily available than our bank cards.

In this type of payment, it should be ensured that biometric authentication is requested for each transaction to guarantee that unauthorized payments are not executed.

Digital wallets (e-wallets)

Digital wallets, such as Apple Pay and Google Pay, become even more convenient by allowing both in-person (NFC) and online payments through the same app.

These transactions should also be protected with biometric authentication, ensuring that unauthorized payments are not made.

QR Codes

The use of QR Codes for making payments is widely adopted, especially due to its simplicity, as it doesn’t involve inserting or tapping anything - just scanning a QR Code.

Physical protection

Store your bank cards securely

For some years now, banks have been issuing contactless cards equipped with RFID technology, allowing you to simply tap the card on the payment terminal instead of inserting it and entering a PIN.

This has undoubtedly simplified payments, but it has also introduced an inconvenience that many have already experienced: if someone brings a payment terminal close to your card while it’s in your wallet and in your pocket, for example, money can be withdrawn from your account without you even noticing!

In other words, the infamous pickpockets have had their lives made somewhat easier. Instead of risking being caught stealing a wallet from a pocket, they simply need the right moment to approach with one of these devices. If the payment is below a certain amount (€50 in Portugal), no PIN is even required.

Another vulnerability is the copying of card data through proximity.

To prevent this, you should purchase an anti-RFID wallet, which blocks electromagnetic fields, thus preventing this trick. There are many available on the market to suit all tastes and budgets.

Your bank card should be physically non-transferable

The most important thing to remember is that your card contains information such as the number, expiration date, and security code (CVV). These three pieces of information are enough for a malicious person to make online payments with your card.

Taking this into account, think twice before handing your card to anyone.

Sometimes, store employees, when it’s time to use the payment terminals, stretch their hands to ask for the card, aiming to insert it into the terminal themselves. Even though the security code is intentionally placed on a different side than the card number and expiration date, there is no reason for you to hand the card to anyone, instead of inserting it directly into the terminal yourself.

The same applies when bank employees ask for your card to retrieve your account number in order to perform any banking operation. Although these employees have access to sensitive details of your account as part of their role, there is no justification for them to ask for your card. Refuse to hand it over and provide them with your account number instead. Alternatively, using your identification, the bank can easily retrieve your account number.

These are some of the problems that can occur when you hand your card to others:

• Card cloning – the store or bank employee could discreetly clone your card using a device they have.

• Exposure of card data – the employee could observe and even copy the details of your card, which would allow them to make online payments or sell the data.

• Lack of control over the transaction – in stores where you are making payments, by not personally placing the card in the terminal, you lose control over the transaction. For example, you may not be able to control the amount you are being charged.

Pay attention to where you insert your bank card

Automated Teller Machines (ATMs), commonly referred to as cash machines, as well as card readers at fuel station pumps, are frequent targets of disguised technology that captures debit and credit card data without the customers suspecting. Before they realize, hundreds or even thousands of Dollars/Euros may have been stolen from their accounts.

ATMs, many of which are available on the exterior of banks and other locations, provide a convenient way to withdraw money and perform other banking operations without the need to go to the bank and wait for assistance from an employee.

Gas stations, especially the more recent ones, are equipped with card readers on the pumps, allowing customers to pay for fuel right there, instead of having to go to the attendant inside the counter at the gas station building.

Despite all the convenience, these devices often lack the same level of surveillance as those found inside banks, making them easy targets for criminals. Card cloning technologies and fake keypads are very similar to the legitimate ones. Some store data internally, requiring criminals to return to the location to collect it, while others transmit it in real-time via mobile data, wireless networks, or Bluetooth.

Follow these tips to detect fake equipment and avoid falling into these traps:

• Pull the keyboard and card reader to check if they come off easily;

• Pay attention to the spelling on the equipment. Just as often happens in phishing emails, many criminals are not fluent in your language, and spelling mistakes are often indicative of something unusual;

• If errors occur after inserting the card and entering the PIN, it may indicate that something unusual is happening, and that a criminal may have already received your data.

In addition to these points that can help you detect these devices, there are other ways to avoid falling into these traps, such as:

• Use cash whenever possible.

• Check your card transactions frequently.

• Avoid ATMs located outside of banks.

• Always cover the keypad as best as you can while entering your PIN. Some of these schemes involve installing mini-cameras pointed at the keypad, recording the PIN you enter. Although this won’t prevent your card data from being copied or a cloned card from being used in payment terminals, it will make it harder for criminals to empty your bank account, as they won’t have your PIN.

That said, it is crucial that these devices are equipped with anti-tampering technology, which prevents the installation of these disguises.

These attacks are known as skimming when they target magnetic stripe bank cards, and shimming when the target bank cards contain EMV chips.

Skimming

Skimming is an older attack targeted at magnetic stripe cards, involving the reading of their data using a card reader. Since the information is static, never changes, and no encryption is used, it is easy to clone these cards.

Shimming

Shimming is an attack similar to skimming, but aimed at EMV chip cards. It is less common and less effective because, while skimming allows cloning of a magnetic stripe card, shimming captures some data from the EMV chip but cannot generate the unique cryptogram used for each transaction. This cryptogram cannot be reused, so it is not possible to create a functional copy of an EMV card. However, these captured data could be used in transactions where only static data is needed, such as magnetic stripe transactions, if the merchant’s system security is low.

It is also worth noting that shimming devices are harder to detect, as they need to be installed inside the equipment, requiring dismantling to identify them. This makes them more challenging to spot compared to traditional skimming devices, which are often more visible and easier to spot by the consumer.

Secure Online Payments

Connect to the Internet securely

If you are going to make online purchases and therefore share payment details, make sure to:

• Use a personal device instead of a public or someone else’s device. This is an important step in helping to ensure, to some extent, that you are actually visiting the website you intend to and that the data you enter is not intercepted.

• Use a secure connection. Avoid public wireless (Wi-Fi) networks, such as those found in cafés, airports, hotels, etc. If you must use them, it is recommended to use a trusted Virtual Private Network (VPN).

Once these steps are ensured, it is also important to verify that you are connecting to the genuine website. That is, type the address of the service you want to access directly or, if you are searching for it on a search engine, be cautious not to click on fake sites posing as the one you want to visit. Well-known cases exist where users are deceived by a site that closely resembles the one they intend to visit. In such cases, the data entered on the site is sent directly to malicious individuals who created it online with the sole purpose of stealing your card details. To avoid this issue, besides being careful when clicking on search results, it is essential to check the address in your browser’s address bar to ensure that it is indeed the site you want to visit.

Prefer services that comply with PCI-DSS

No matter how careful you are, when sharing your card details with e-commerce websites, you’re taking on risks that you can no longer control. If these websites don’t follow certain precautions, your card details and personal information (such as your name and address) could be accessed by unauthorized individuals.

Being compliant with the Payment Card Industry (PCI) means adhering to security standards outlined in the Payment Card Industry Data Security Standard (PCI-DSS). These standards ensure that companies that process, store, or transmit credit card information take the necessary steps to protect cardholder data, preventing data breaches, fraud, and unauthorized access.

E-commerce platforms like Shopify and WooCommerce strive to comply with PCI-DSS and provide information on the topic at the following links, respectively:

• Viewing Shopify’s compliance reports

• PCI-DSS Compliance and WooCommerce

Use virtual cards

A virtual card is similar to your physical card, but with some advantages, including:

• You can create multiple cards - That is, most services allow you to create multiple virtual cards based on your needs. This means, for example, that you can have a different card for each service you use or, if you prefer, for each payment you make.

• You can specify whether the card is for one-time use, for multiple purchases, or for recurring payments for a service.

• You can specify the card’s maximum spending limit.

In addition to these advantages, you can cancel any virtual card at any time. That means if you cancel a subscription to a particular service and want to ensure that the cancellation is effective, you can cancel the card. This way, if the service tries to charge the subscription fee, they won’t be able to. However, before canceling a card, check which services are being charged to it, as canceling the card will affect them all.

Conclusion

In summary, the important takeaway is that your card data is of great interest to those involved in the criminal world, so:

• Avoid magnetic stripe credit cards and prefer EMV chip cards as they are more secure. Use NFC or QR Code payments when possible, preferably configured to require authentication with biometric data.

• You should never hand your physical card to another person.

• You should never share your physical card details (such as the number, expiry date, and security code) in person or online. Instead, create virtual cards with usage limits.

• You should store your cards in RFID-blocking wallets to prevent payment terminals from being placed near your pocket, making unauthorized payments, or attempting to read your card data.

• You should pay special attention to ATMs and fuel station pumps, as they are common targets for disguised technology aimed at cloning your cards.

• Make online payments using your own devices and internet connections, and ensure that you use reputable e-commerce services that comply with PCI-DSS.

The Evolution of Passwords

Simple Passwords and Stored Without Security

Initially, passwords were short and stored in plain text (without any encryption) in systems. Any intruder who gained access to the database where they were stored could view these passwords, as they were saved in a readable format. Since people typically used the same email and password across multiple systems, these intruders could access several accounts of the same individuals with little effort.

Hashing and Encryption

Systems began converting passwords into hashes using cryptographic hash functions. In other words, the password was no longer stored, only its hash. Whenever the user logged in, their password was converted into a hash using the same algorithm, and this hash was compared with the one stored in the database. This ensured that even if an attacker obtained the file or database, they could not easily recover the original passwords, as hash functions are irreversible.

Later, it became clear that although moving from storing passwords to storing their hashes was a significant improvement, it was not enough to store user credentials securely due to an attack known as rainbow tables. In this attack, intruders had tables with hashes and their plaintext equivalents. As a result, today it is recommended to add a salt to the password and convert the password + its salt into a hash. This ensures that even if two users have the same password, the result of password + salt will be a different value, making it much more complex to crack.

Increased Complexity

As users were creating passwords that were too simple, it became possible to crack them using brute force or dictionary attacks. As a result, companies began implementing policies that required frequent password changes (at least every 90 days), as well as increasing password complexity. This meant requiring passwords to contain uppercase and lowercase letters, numbers, and/or special characters. The prohibition of reusing previous passwords was also introduced.

Multi-Factor Authentication (MFA)

Due to the rise in phishing attacks and keyloggers, Multi-Factor Authentication (MFA) was introduced. Now, in addition to the username and password, another factor was required, such as a code sent via SMS to the user’s mobile phone or a hardware token.

One-Time Password (OTP) systems, such as Google Authenticator (Android; iOS) and Microsoft Authenticator (Android; iOS), were also implemented.

If you want to get familiar with Multifactor Authentication, read this: Why you need to activate Multifactor Authentication (MFA)

Password Managers

As the number of accounts per individual grew, password management systems began to emerge. These systems allowed passwords to be stored securely (using advanced encryption) and organized, as well as accessed in a simple manner.

In addition, they included a password generation feature, allowing users to create long and complex passwords without the need to memorize them. They also encouraged the use of unique passwords for each system.

Elimination of Passwords and Biometrics

Currently, we are witnessing a transition to passwordless authentication. Protocols like FIDO2, which are considered highly resistant to phishing, enable authentication without the need for passwords, using passkeys and physical security keys, such as Yubikeys, among others.

This approach makes the authentication process not only more secure but also simpler, by using methods such as biometrics—e.g., fingerprint scanning or facial recognition.

But in the present, the mistakes of the past are still being made.

Unfortunately, even today, there are systems where passwords are stored in plaintext or hashed without a salt; individuals and companies that still don’t enforce a secure minimum password length; a low rate of Multi-Factor Authentication usage (whether it’s due to systems that still don’t offer it, or users who, despite systems having it available, haven’t activated it), and more.

How long does it take for a password to be discovered?

The following graph shows the strength of some passwords, highlighting that the length, that is, the number of characters, is what gives them the most strength, making them harder to guess with each additional character.

You can test some passwords and see how long it would take for them to be cracked here.

What are secure passwords?

The answer to this question has changed over time. For example, in 2003, when NIST Special Publication 800-63, Appendix A was published, it recommended that passwords should contain uppercase and lowercase letters, at least one special character, and at least one number. It also advised that passwords should be changed frequently, at least every 90 days.

This led most users to replace some characters with numbers, which became highly predictable, even for software programs designed to guess passwords. Knowing that these substitutions were common, developers programmed the software to also make those substitutions. This could result in the password “P@ssW0rd123!” to be cracked in 6 minutes or less.

The requirement to change the password every x days also led users to only add or replace one character, keeping the rest of the password unchanged, which does not provide a significant security improvement.

The cartoonist Randall Munroe published a comic on xkcd that became popular by highlighting that the password “Tr0ub4dor&3” (something like “Tr0v4d0r&3”, meaning troubadour with substitutions and additions) could be cracked in just three days, due to the predictable use of uppercase and lowercase letters, character substitutions with numbers, and the use of special characters. Meanwhile, the password “correct horse battery staple” would take 550 years to crack. He also commented that “After 20 years of effort, we’ve correctly trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”

You will probably agree that the passphrase “correct horse battery staple” is easier to remember than the password “Tr0v4d0r&3,” especially if you visualize an image in your mind.

The author of the NIST document, Bill Burr, later expressed regret for these recommendations, which were misinterpreted and led users to adopt predictable practices, even though his recommendations aimed to make passwords more robust.

The National Institute of Standards and Technology (NIST) published a new document, known as NIST Special Publication 800-63-3, in 2017, which was revised in 2020. This document is widely adopted by the industry as a reference for authentication management and identity security.

Use long passwords

One of the main factors, if not the most important, that makes a password secure is its number of characters. The more characters it has, the harder it is to guess.

Short passwords are easily guessable in an attack known as brute force, where software tests all possible character combinations. It’s a time-consuming process, but it can sometimes yield quick results, especially when the passwords are too short.

Nowadays, none of your passwords should be less than 14 characters.

Ideally, you should create passphrases instead of passwords, meaning using a phrase. Joining words like “I like Nelson Lopes’ newsletter,” along with numbers and other characters, can create an excellent password.

Use random words

Avoid using passwords that contain words related to you or someone close to you. These words are the first to be tried, especially based on what the attacker knows about you (for example, what you share on social media).

In other words, creating passwords with data that could lead back to you is half the battle for them being cracked. For this reason, it’s good practice for passwords not to include the username of the associated account, your name or the names of close family members, your birthdate, your phone number, etc.

The goal is to choose a passphrase that contains words that don’t make sense together, making it harder for any system to guess them.

The replacement of characters with their numeric counterparts no longer works

At one point, some characters were replaced with similar-looking numbers, such as “E” with 3, “T” with 7, and so on. But just as account holders made these substitutions, the software used by attackers to crack passwords was also programmed to do the same. Taking this into account, this type of substitution no longer provides strength to passwords.

Do not repeat passwords

One of the main mistakes people make is using the same password for multiple accounts. Imagine that somehow someone discovers the password for one of your accounts. By knowing your username or email, they can now try the same password across several other services.

In other words, to give a concrete example, suppose you use the same password for Instagram as for Gmail. If someone happens to discover your Gmail account, they will also be able to access your Instagram account. Not only will they be able to read your emails, but they may also read your Instagram conversations and, who knows, even post on your behalf.

If you use business systems, it is very important for both you and the company you work for that you don’t use the same passwords for your personal accounts and your business accounts, and vice versa. This is for similar reasons as described above - if any of your personal accounts are compromised, your business accounts are more likely to be compromised as well, leading to significant negative impacts for the organization. On the other hand, if the company’s accounts are compromised, the attack may extend to your personal accounts, which I’m sure you want to avoid!

All of this can be solved simply: each account should have a password different from all the others.

Do not reuse passwords

At this point, what I want to tell you is not to use passwords you’ve used in the past. They surely have some trace on your side or on the systems where you used them. Let your imagination flow and create new passwords.

Organizations should not require password changes. This does not mean that you shouldn’t change your passwords

NIST, along with other organizations, does not recommend password changes based on studies that showed this practice often led users to adopt predictable and weak passwords. A password change is only recommended if you suspect it has been compromised.

Therefore, they encourage organizations not to require frequent password changes, unlike the previous recommendation that sought to enforce a change at least every 90 days, and they complement this recommendation with the advice to have Multi-Factor Authentication enabled.

The user is no longer required to change the password; however, they should keep in mind that one way to ensure that if a particular account is compromised, unauthorized access by third parties is not continuous (even when unaware of the breach), is to periodically change their passwords. This is especially important for services that still don’t offer MFA (which, unfortunately, are still many), but also for those that do, as we know that certain MFA methods can be vulnerable.

Be mindful of where you store your passwords

Never store your passwords in places where they are in plain text, without encryption. For example, you should never store them:

• On paper, such as post-its;

• In computer or phone notes;

• In spreadsheets;

• On the covers of mobile devices;

• Etc.

If you do this, anyone with access to the paper or your session, physically or remotely, will be able to read the password. This is, in fact, one of the most common mistakes. It’s quite practical because the password stays on a post-it stuck to the monitor or in a file on the desktop, ready to be copied to the login page… by you and by anyone else who can access it, as it’s fully readable.

The ideal way to combat this and still maintain simplicity is to use a password manager, as I discuss further down in this article.

Do not store your passwords in browsers

Browsers have had the ability to store credentials for some time now, aimed at simplifying the user’s task. However, their use is not recommended because many don’t use robust encryption methods, and someone with physical access to the machine can extract them.

Do not share your passwords, but if you do, make sure to do it securely

If you share the password to your Netflix account with a friend so they can watch movies without paying, and use the same password for Gmail, you can see what might happen, right? And it’s not just about your friend, who might even be an honest person, but do you have guarantees that they will store that password properly?

Especially in the business world, it’s very common for users to share their passwords with colleagues when they go on vacation or are on leave, so colleagues can follow up on received emails and other matters. Don’t do this! And if you’re in charge of a department or have the ability to enforce security policies, prohibit people from doing so. Instead, they should request the IT department to forward emails and calls from the absent person to their substitute.

The truth is that the more people you share your password with, the greater the risk to your account. I don’t know if you store your passwords properly or not, but remember that the person you’re sharing your credentials with may not take the same precautions.

Remember: the responsibility to protect your account is not just that of the service provider or your company’s IT department (if applicable), it is also yours.

However, sometimes we do need to share a password. In these cases, email and SMS are channels to avoid! Use password managers like (affiliate links) Proton Pass, 1Password or NordPass, which offer secure password sharing functionality, or use secure communication apps like Signal or Telegram.

Use a Password Manager

Password managers allow you to store all your passwords securely (data is encrypted), in a simple and organized way, making the management of your credentials much easier. Believe me, when used properly, they are a true game changer.

With a password manager, you only need to remember one password - the master password. Yes, just one: the one required to decrypt all the others. This password should be long and complex, but you must ensure it’s one you can remember because if you forget it, you might lose access to all the others.

So, what difference does it make to create the remaining passwords with 32 or even 64 characters? I know this might seem daunting or even ridiculous to some people, but… give it a try. It won’t make any difference to you since the passwords will be automatically filled by your password manager, or you’ll just need to copy them. You won’t have to memorize or type them, and you’ll have the confidence of using a secure password! Of course, this depends on whether the service allows such long passwords. Unfortunately, many services still limit passwords to only 8 or 10 characters, which is incomprehensible.

You can organize your passwords into vaults. For example, you can have a vault where you store the credentials for your personal accounts, another for your partner’s credentials, another for your children, one for work, and so on.

You can use browser extensions that automatically fill in credentials on the websites you visit. The most well-known password managers offer extensions for the most widely used browsers.

They have mobile apps that do the same for the applications you install, whether on Android or iOS.

They can be local or cloud-based. If you don’t trust the cloud enough to store such sensitive data there, you can use password managers like Keepass, whose database remains only on the device where it is installed. However, if you want to access the data on another device, you’ll need to copy the database to that device. This might not be very practical because, whenever you add or change a password, you’ll have to update it on both devices or copy the database from one to the other again. Some people use online file services to synchronize the database across devices, but this is not as simple as directly using a cloud service like (affiliate links) Proton Pass, 1Password, NordPass, etc.

Enable Multi-Factor Authentication (MFA)

No matter how secure a password is, you should always keep in mind that it can be discovered. For instance, if your device has a keylogger, every keystroke is recorded and sent to the attacker. In this case, no matter how complex your password is, its complexity becomes irrelevant once it is transmitted to the perpetrator.

To help resolve this and other issues, Multi-Factor Authentication (MFA) adds an extra layer of security to your accounts by requiring another factor whenever you log in. For example, this factor could be a One-Time Password (OTP) generated on your mobile device, through an Authenticator app, which you must enter on the website you’re logging into in order to gain access. In this case, in addition to your password, your device would be required to successfully log into the account.

Know more about Mulfitactor Authentication in this article: Why you need to activate Multi-Factor Authentication (MFA) immediately

Go passwordless

As we know, passwords are vulnerable and remain a challenge in securing online accounts. However, there are protocols designed to address the weaknesses of passwords, making access more secure and simple. Click here for more details.

Other precautions

In addition to the best practices mentioned above, which are more directly related to passwords themselves, there are a number of other concerns you should keep in mind.

Use a secure internet connection

It is known that even our home connection is not completely private, as the ISP (Internet Service Provider) can see where we are browsing and even view traffic that is not encrypted.

Worse than this is the use of public Wi-Fi networks, such as in cafes, airports, or hotels.

Consider using a VPN that encrypts all your traffic from your device to the VPN server you’re connected to. This way, all systems in between will only see encrypted traffic and won’t be able to decipher what is passing through. However, you should be cautious when choosing a VPN service. Specifically, the VPN should be audited to ensure that it does not keep logs of your browsing activities, as just like the ISP can see your traffic if you don’t use a VPN, the VPN provider will also be able to view it.

Services like (affiliate links) Proton VPN, NordVPN and Bitdefender VPN are recognized as trustworthy services.

Only visit HTTPS sites

When you access a site whose address starts with HTTP://, it means that the traffic between your device and the website’s server is not encrypted. When this happens, if the traffic between your device and the server is intercepted, the data, including your password, is readable by third parties.

Always check if the address you are accessing starts with HTTPS:// or if there is a closed padlock (sometimes green) next to the address bar, as seen when visiting nelsonlopes.net.

HTTP stands for Hyper Text Transfer Protocol, and HTTPS stands for Hyper Text Transfer Protocol Secure. The Transport Layer Security (TLS), which replaced Secure Sockets Layer (SSL) and corrected several of its vulnerabilities, is the protocol responsible for encrypting communication in HTTPS.

Always check the website address you are visiting

Is the website you are accessing the one you intend to visit, or is it an exact copy? Pay close attention to the address in the browser’s address bar. There are well-known cases where the similarities are so strong that the user enters their credentials on a fake website, thinking they are on the real one. Believe me, there are exact copies where the differences are even hard for the trained eye to spot.

To avoid being deceived, always check the address.

Notifications when you log in

Prefer services that send notifications whenever you log in. This way, if you receive one of these notifications and you are not logging in, you will know that something is wrong and should act quickly to minimize the issue.

If the system does not send these notifications, check if it shows the last login or has a visible login log. If it does, take a look from time to time to make sure everything is fine or to detect any issues. If you suspect that a login wasn’t yours, reset the password immediately.

Account lockout due to wrong attempts and CAPTCHA

Also, prioritize services that lock the account (temporarily or permanently) after a certain number of failed login attempts. This way, brute force and dictionary attacks are ineffective, as these processes are already slow (when passwords are secure), and with these locks, they become impractical.

Websites should also use CAPTCHA systems (Completely Automated Public Turing test to tell Computers and Humans Apart) to filter human users from bots.

Secure password storage

Prioritize services that do not store your passwords. Yes, that’s right, I repeat, prioritize services that do not store your passwords. Services should never store the passwords of their users, but rather their hashes.

But this is not enough, as it would still be vulnerable to rainbow table attacks. A salt should be added to the password before hashing the password + salt.

How to test if the password is secure?

Password managers themselves usually have the functionality to indicate whether each of your passwords is secure, even alerting you to those that are not. Some even have statistics so you can get a quick overview of the status of your credentials.

In addition to these, there are some online services that also perform this check, like this one.

Conclusion

Attacks to discover credentials have evolved over time, along with computational power, greatly reducing the wait time for those engaging in such activities. To counter this, it is essential to pay attention to some basic precautions described in this article. These precautions can be applied directly by the reader, but others must be implemented by the services they use. Therefore, it is important to manage your passwords well, but also to stay vigilant about the quality of the services where you store your information.

X, formerly Twitter, the social network owned by Elon Musk, just updated its For You page algorithm and I went through the 20000+ lines of code to analyze it and create this article, so you can understand what actually works now when posting to X.

I mean, maybe I didn’t actually go through all those 20000+ lines myself… there’s a chance I shortened it with AI 😇

The X For You page algorithm is now open-source here: https://github.com/xai-org/x-algorithm, so I started by cloning the repo to my computer.

You can do the same with this command:

git clone https://github.com/xai-org/x-algorithm.git

Then, move into the downloaded directory with this command:

cd x-algorithm

And execute Claude Code:

claude

You should then see a window similar to this one:

I told Claude what the directory contained and asked it to analyze the entire codebase.

What Actually Works in X’s New For You Algorithm

Optimize for the full action surface, not just likes.

Every time you post, the algorithm gives your content a score. Positive engagement (likes, replies, reposts, bookmarks, time spent) increases that score. Negative engagement (hides, blocks, “not interested”, quick scrolls) decreases it.

The algorithm applies decaying scores to subsequent posts from the same account per feed request, meaning every extra post you make gets shown to fewer people. This should significantly reduce spam on the For You feed.

The algorithm also has specific logic designed to detect if a post has banger potential, and actively penalizes low-quality, generic, or AI-generated content.

You’ll now see more content from people you actually follow (in-network). Their posts get a higher score, so the algorithm is pushing more of what comes from your network.

The combination of reduced dwell time and lower click-through to X’s own content makes external links a well-established penalty.

NSFW, violence, gore, and toxicity will not help your content stand out. In fact, the algorithm actively penalizes this type of content.

Quality beats follower count. Small accounts can now achieve massive reach, as long as they create content that keeps people engaged for a long time.

Undisclosed ads will get almost zero reach.

Microniches are the big winners. If you stay consistent in a specific microniche and deliver high-value content, you can grow extremely fast. Avoid mixing too many different topics. Focus is heavily rewarded now.

Start making videos. X is now clearly becoming a video-first platform. Add captions/subtitles, because a huge portion of people watch videos on X with the sound off. Good captions will dramatically increase the time people spend watching and boost your reach.

Engagement velocity in the first 30-60 minutes is critical.

Below is Claude Code’s output.

Claude Code’s output

General Architecture — 8-step pipeline (Home Mixer)

Query Hydration → Candidate Sources → Candidate Hydration → Filtering

→ Scoring → Selection → Post-Selection Filtering → Feed Response

Scoring System — Phoenix model

Grok-based transformer that predicts the probability of 19 simultaneous actions. Final score = weighted sum:

Score = Σ (weight_i × P(action_i))

Positive actions (by weight order):

Negative actions:

Candidate Sources

Hydrators — factors that boost score

1. has_media = true — image or video present

2. VQV_WEIGHT — video longer than MIN_VIDEO_DURATION_MS and actually watched

3. engagement_counts — fav_count, reply_count, repost_count, quote_count

4. author_followers_count — accounts with more followers get more visibility

5. mutual_follow_jaccard — author followed by people you follow

6. language_code — feature passed to the model (no explicit filter)

Filters (pre and post scoring)

Final Selection

• TopKScoreSelector: sorts by score, selects top 25–50

• BlenderSelector: interleaves ads (minimum 5 organic posts between ads, default gap of 3)

Author Diversity Decay

Penalty for the same author appearing repeatedly in the feed:

multiplier = (1 - FLOOR) × DECAY^position + FLOOR

• DECAY ≈ 0.6–0.9 → the 2nd post from the same author is worth ~60% of the original score

• FLOOR ≈ 0.2–0.4 → never drops below this minimum

On language/location (from the specific search)

• language_code exists on both posts and users

• country_code and ip_location are also captured

• No explicit filter or penalty for language mismatch — it is a feature passed to the model

• The model learns language preferences implicitly from engagement history

• No references to any specific locale in the scoring code

Identified numeric values

Examples

Now that we have all this information, I asked Claude Code to create an HTML file with some examples of posts that could went viral based in the new algorithm. Below is the result.

Open questions (maximise replies)

Hot takes and strong opinions (generate debate)

Educational threads (maximise dwell time and follows)

Posts with media (activate has_media + VQV_WEIGHT)

"Send this to someone" (maximise SHARE_VIA_DM_WEIGHT)

Surprising data (maximise reposts and quotes)

Polls (generate clicks and direct engagement)

Conclusion

In this article I used Claude Code to analyze X’s new For You page algorithm.

And yes… I did have that moment of doubt: should I have used Grok instead, since the code is from xAI?

In the end, I figured using an external tool might actually make the analysis more impartial 😁

Anyway, don’t take everything in this post as absolute truth. It was analyzed with AI, and as we all know, AI can make mistakes.

I went through the Claude Code analysis and shared several examples that you can use as inspiration for your own posts.

You can also use Claude Code (or any other AI tool) to help you create posts that are more likely to perform well under the new algorithm.

That said, in my opinion, it’s crucial not to lose your authenticity. I personally prefer to stay authentic rather than purely chasing the algorithm - but that doesn’t mean we shouldn’t study it, learn from it, and adapt our content accordingly.

Now go post on X and good luck! I hope one of your posts goes viral 🔥

See you soon,
Nelson

Parece paranóia, mas acontece com frequência e mais facilmente do que possas pensar.

E o pior é que não dás conta. Não sabes que te estão a ver.

De que forma pode acontecer este ataque?

Pode acontecer quando descarregas ficheiros de sites que pensas serem de confiança, quando alguém se intromete entre ti e o site legítimo (um ataque conhecido como man-in-the-middle) e te entrega uma versão adulterada do ficheiro em vez da original, ao abrires um anexo que te é enviado num email, enquanto sacas torrents, quando inseres no teu computador aquela PEN que alguém te dá para te passar um ficheiro e que, na verdade, é malware.

Também se alguém conseguir explorar alguma vulnerabilidade que o teu dispositivo tenha, seja ao nível do sistema operativo ou das aplicações instaladas.

Pode ocorrer quando alguém mal intencionado tem acesso físico ao teu dispositivo, nem que seja apenas por alguns minutos.

Ou simplesmente aquela aplicação que, apesar de não precisar de acesso à câmara, pede essa permissão.

Quem perpetua o ataque?

As motivações podem ser várias: desde mera curiosidade, à vontade de te espiar, ou ao desejo de te apanhar desprevenido(a) para tirar screenshots ou gravar vídeos comprometedores, que mais tarde possam ser usados para te extorquir - exigindo compensações financeiras em troca da não partilha das imagens com pessoas tuas conhecidas ou na Internet.

Como nos podemos proteger?

Antes de irmos para a proteção que é o motivo deste artigo, há alguns cuidados básicos e essenciais que ajudam a dificultar estes acessos indevidos:

• Manteres o sistema operativo atualizado, instalando os updates assim que ficam disponíveis - normalmente as atualizações introduzem novas funcionalidades mas também corrigem vulnerabilidades;

• Manteres as aplicações atualizadas;

• Teres um antivírus ou, preferencialmente, EDR instalado e atualizado;

• Desligares ou reiniciares os teus dispositivos frequentemente;

• Não cederes o teu dispositivo a ninguém, mesmo que por pouco tempo, especialmente se a pessoa não te for próxima;

• Configurares bloqueio de ecrã - por exemplo, com impressão digital;

• Configurares o ecrã para bloquear passados x segundos - para que bloqueie rapidamente se o pousares e te ausentares, sendo assim necessária a impressão digital para o desbloquear se alguém lhe mexer sem o teu conhecimento.

Contudo, a proteção que não falha quando todas as outras falham, é o bloqueador físico de câmara. É dos controlos mais efetivos que conheço, não exige conhecimentos técnicos e é muito barato de adquirir.

Ao contrário dos mic lockers, ou bloqueadores de microfone, sobre os quais escrevi aqui e que têm um papel semelhante mas para bloquearem a escuta não autorizada, simulando que são um microfone e fazendo o dispositivo alterar automaticamente o canal de entrada para eles, mas que na verdade não têm microfone, sendo muito efetivos contra malware que fica à escuta (ou seja, do lado de lá ouve-se silêncio), mas que são contornáveis se o atacante se aperceber do bloqueador e tiver acesso a executar comandos no dispositivo, alterando o canal de entrada para o micro do dispositivo, no caso das câmaras isto não é tão útil, porque mesmo que altere para a câmara de trás, como os dispositivos passam grande parte do dia e da noite pousados, o ganho seria muito reduzido.

Os bloqueadores da câmara podem ser aplicados em computadores, tablets e smartphones. Alguns dos dispositivos mais recentes já os trazem embutidos. Quando este não é o caso, há quem cole post-its à frente da câmara, ou quem (como eu) compre uma peça própria que se cola por cima da câmara.

Sempre que se pretende utilizar a câmara, move-se a parte deslizante da peça para o lado, expondo a câmara. Quando se termina de fazer uma vídeochamada ou de tirar uma selfie, volta-se a deslizar para a posição em que a câmara fica tapada. Se a pessoa for mais descuidada e não tapar a câmara, ou se preferir desbloquear o dispositivo com a face em vez de com a impressão digital e, por isso, a mantenha destapada para não estar sempre a tapar e a destapar, então o controlo deixa de ser efetivo.

Por ser um controlo físico que se sobrepõe aos controlos digitais que possam existir no dispositivo, é muito efetivo, pois se esses controlos falharem ou forem comprometidos, a barreira física não vai deixar que os malfeitores atinjam o seu objetivo.

Para testar, basta utilizar a aplicação da câmara ou fazer uma vídeochamada com alguém, e deslizar o bloqueador para a frente da câmara. Se tudo o que visualizar for escuridão, está a funcionar bem.

E claro, não se esqueça de estender a proteção a familiares e amigos.

What he says is that chip manufacturers, such as Nvidia and others, are prioritizing the supply of chips to Artificial Intelligence Datacenters, at the expense of other supplies, such as computers, multifunction printers, and other devices.

According to him, it is expected that this situation will continue throughout 2026 and 2027, and that it will only normalize in 2028.

Which will, in every respect, be similar to what was experienced during the pandemic.

What happened during the pandemic?

During the Covid-19 pandemic, there were several delays. Some companies, due to a shortage of computers, had to provide computers with i3 processors to administrators - something that would normally be unthinkable, but had to be done, as the alternative was having no computers at all.

I recall that at ExpressGlass, it was during this phase that, for some time, we stopped purchasing from our usual suppliers and started getting computers from retail stores - basically anywhere we could find them - deviating from our usual and more professional models. This was how we resolved the situation. When stock was available, it was picked up immediately and the issue was resolved.

We felt the impact on computers, but the most concerning issue was with the toners for the Xerox multifunction printers.

Those were very worrying times because we still didn’t have electronic invoicing, so shipments from DiverAxial were required to go out with an invoice.

It was illegal for the carriers to make deliveries without the invoices, even if they had already been issued in the system. The carriers themselves wouldn’t even accept doing it. If they were stopped by the authorities and didn’t have the invoice, a fine would be imposed.

This put the entire operation and business of ExpressGlass at risk, since DiverAxial is its main supplier.

Therefore, at the time, it was necessary to source toners from various places. Coordinating all of this was not easy. We filed complaints and requested stock, but there simply wasn’t any. During this phase, the truth is that we faced significant risks.

Reality or speculation?

It is still being determined whether this will become a reality or if it is mere speculation. But the fact is that several delays are already occurring, particularly in the approval of prices and proposals.

The supplier even shared that they have already experienced a 70% increase, and since they have a supply contract, they are actually being heavily penalized.

Depending on the volume of incoming requests and their severity, chaos can quickly take over. From having no visibility into the number of requests hitting the incident response teams, to being unaware of the biggest problem hotspots, or even having technicians resolving non-urgent, low-impact issues while critical ones sit in the queue.

Follow these steps to make your day-to-day operations smoother.

Steps in Incident Management

There are three essential minimum steps for proper incident management.

Step 1: Log the Incident

The first step every technician must be instructed on is that an incident does not exist unless it is logged. For that, the ideal scenario is to have a ticketing platform that users are familiar with - everyone should receive training on it when it is implemented, and it should also be part of the onboarding training plan for new employees.

I won’t go into the topic of who should open the ticket, but in case you define it should be the user, be careful with agents who kindly open tickets on behalf of users - these cases are easy to notice in day-to-day operations, but the manager should regularly review the platform’s statistics to understand the scale of the problem. These “kind gestures” can undermine years of user education aimed at getting them to open tickets instead of approaching technicians directly.

If users have other communication channels to reach technicians and can initiate incident reporting that way, I still maintain that the incident must be logged - therefore someone has to create the ticket. In this case, it should be the technicians. The biggest challenge is getting technicians to create the ticket before starting the analysis and resolving the issue, so they don’t forget or get lazy to do it later.

In both scenarios, in less mature teams, it is common to see numerous issues solved without a ticket. This means that at the end of the day (or at the end of the month or year in accumulation), the statistics will not reflect the actual number of incidents that occurred, the real Mean Time to Resolve (MTTR), the number of incidents by category, nor the hours the team truly dedicated to this area.

Step 2: Categorize the Incident

Once logged, the incident must be categorized. Categorization helps assign the incident to the appropriate support team and also allows reporting to show which categories are becoming the most problematic.

Creating categories in a support tool is something that should be carefully considered and, like everything else, should evolve over time. What I mean by this is that it’s normal to have doubts about the structure you’re going to implement - whether it should have two levels (category and subcategory) or three (category, subcategory, and item), whether it should be specific enough to include modules within a particular application, or kept more generic.

There is no single “correct” way to implement categories. Each organization should think about what works best for them. However, based on my experience, the trend has been to simplify - meaning simplify both for users and for technicians. But only by analyzing the data can you properly assess whether this simplification limits management’s ability to understand where most problems are occurring, or where the most critical issues for the organization lie, and where time should be invested to address them.

Step 3: Prioritize the Incident

Once the incident is categorized, its priority must be defined among all the other unresolved tickets.

The priority of a ticket is determined by impact vs. urgency. This means there should be a scale for impact, another for urgency, and a matrix that clearly indicates the priority based on these two variables.

Personally, I like using the matrix provided by Freshservice (this is an affiliate link - if you sign up, I may earn a small commission at no additional cost to you):

On the X-axis we have urgency, and on the Y-axis we have impact. By classifying both, we obtain the priority that should be assigned to the ticket.

Of course, even after defining the priority, it may still match the priority of other incidents awaiting resolution. That’s where experience and business knowledge come into play.

Technicians with more years in the organization will intuitively know which tickets should take precedence - it will vary from case to case, but having alignment with leadership is ideal.

Less experienced technicians should rely on their colleagues or, ideally, their manager to understand which issues they should tackle first.

Conclusion

Incident Management only works when the fundamentals are in place: every incident must be logged, properly categorized, and prioritized based on impact and urgency. These practices may seem simple, but they form the backbone of an efficient and mature support organization.

By applying these three steps consistently, teams gain clearer visibility of their workload, reduce resolution times, improve communication with users, and build a reliable dataset to support better decision-making.

Improving Incident Management is a continuous journey - not a one-time project. Start with the basics, adapt the process to your organization, and refine it over time. Small improvements, applied consistently, lead to meaningful long-term results.

If you already follow these practices or have additional recommendations, feel free to share your experience in the comments.

Imagine being in the comfort of your home, having conversations with your partner, children, and other family members, while someone is remotely listening in through your devices.

It’s not a very pleasant situation, is it? I don’t think anyone would like that.

That’s why it’s important to take precautions to ensure that these types of situations don’t happen.

Typically, operating systems aim to protect their users from such attacks. However, the best protection always lies in combining software controls with hardware controls, meaning…

• Keeping the operating system and applications up to date;

• Regularly reviewing application permissions;

• Having an antivirus installed and kept up to date.

All of this helps protect against such threats, but it doesn’t guarantee that it won’t happen.

Therefore, the ideal solution is to use a microphone blocker, which will route the audio from your device to the blocker itself and receive audio back from it. In other words, your device will think a headset, for example, has been plugged in, so the device’s microphone is disabled, and the supposed microphone from the adapter is activated. However, this adapter does not have a built-in microphone, so it does not send any audio back to your device. This way, everything the other side hears, if someone is listening, is silence.

I recommend the microphone blockers from Mic-Lock. I personally use them on both my computer and smartphone, and they work very well.

You can test it by using a recording app to record an audio clip without the adapter and then with the adapter. When you listen to the recording later, you’ll notice that from the moment the adapter is inserted, no sound is recorded. The app continues recording, but there’s no audio input, which is exactly what we want.

United States of America

Since 2004, October has been recognized as Cybersecurity Awareness Month. This month was declared by the then President of the United States and Congress with the goal of having the public and private sectors work together to raise awareness about the importance of cybersecurity.

This initiative has gained importance over the years, with efforts between government and industry to reduce online risks and generate discussion about cyber threats on a national scale in the United States, as well as globally.

In 2023, the Cybersecurity & Infrastructure Security Agency (CISA) launched its awareness program called Secure Our World, which recognizes the importance of taking daily actions to reduce online risks and the risks of using connected devices. It also enables organizations to use this theme when preparing for Cybersecurity Awareness Month, that is, when preparing their own awareness campaigns.

Europe

On the European side, European Cybersecurity Month is the European Union (EU) campaign dedicated to promoting cybersecurity among European citizens and organizations, as well as providing updated information related to online security and sharing best practices.

Every year, throughout the entire month of October, hundreds of activities take place across Europe, including conferences, workshops, training sessions, webinars, presentations, and more, aimed at promoting digital security and cybersecurity hygiene.

This initiative is coordinated by the European Union Agency for Cybersecurity (ENISA) and the European Commission, and is supported by each Member State and hundreds of government partners, including universities, think tanks, Non-Governmental Organizations (NGOs), professional associations, and the private sector in Europe and beyond.

Since the first event in 2012, European Cybersecurity Month has been promoted under the slogan “Cybersecurity is a Shared Responsibility” and, in 2020, the motto “Think Before U Click!” was officially launched.

And the rest of the year?

Although October is considered Cybersecurity Awareness Month, we must not forget that cybersecurity is something we should be concerned about every other month. I would go further: daily, throughout the entire year.

These are government initiatives, both in the United States and Europe, aimed at creating a period, at least once a year, during which various initiatives are held to raise cybersecurity awareness. However, all individuals and businesses should be aware that it’s not just during this month that they should focus on and invest in cybersecurity, but throughout the entire year.

Attacks do not happen only in October, but throughout the entire year. Therefore, it is important that people progressively protect themselves more over the year and across the years, implementing more controls that ensure their networks, devices, and accounts are progressively more secure.

Companies, schools, and other organizations

This can be an opportunity for companies, schools, and other organizations to join this initiative and also use the month of October to promote cybersecurity. This doesn’t require a great effort, as much of the material already exists and there can simply be a sharing plan in place.

This doesn’t mean that throughout the rest of the year there isn’t a need to continue raising awareness on this topic, but the month of October can be used for greater dissemination by entities, taking advantage of all the support provided by governments and other organizations for online promotion. This also allows for sharing various best practices, information about attacks, and how to protect oneself.

How to learn more

Anyone interested in following this topic more closely and learning more can visit the following websites:

• Cybersecurity Awareness Month by CISA;

• Secure Our World;

• European Cybersecurity Month by ENISA;

• ECSM – European CyberSecurity Month.

In addition to these websites related to Cybersecurity Month, there is a vast array of other content you can follow, including forums, books, courses, newsletters like this one, among many others.

LinkedIn update to Terms and Data Use

Funny enough, just last weekend I was reviewing my LinkedIn settings (for no particular reason - I’ve been less active there lately and more on other platforms). To my surprise, I came across those options and immediately turned them off, wondering how I had missed this before. A few days later, I started seeing posts from others pointing out that LinkedIn was indeed updating its Terms and data use to reflect these changes.

👉 If you also want to opt out, go to:

Settings > Data Privacy > Data for Generic AI Improvement > Use my data for training content creation AI models (turn it off).

Referring to online accounts, imagine that somehow your credentials were compromised - that is, someone managed to discover them. If you don't have MFA enabled, the attacker will be able to access your account without any difficulty. However, with MFA active, after entering the username-password combination, the attacker will be confronted with a second authentication step using a different factor.

The goal is for only the user, the true account holder, to have access to the additional factor(s) required to access the system in question. This way, in a situation like this, the account will be protected, as it will be much harder for the attacker to bypass these other factors. However, bear in mind that harder does not mean impossible.

Authentication factors

There are three primary authentication factors. They are:

• Something you know, which can be a password, a passphrase, a PIN, the answer to security questions, etc.

• Something you have, which refers to physical devices in the user's possession that can help with authentication, such as a mobile phone, a smart card, a hardware token, a memory card, a USB drive, etc.

• Something you are, which refers to physical characteristics of a person, such as fingerprints, facial features, retina patterns, iris patterns, hand geometry, etc.

In addition to the three primary factors, attributes such as the following can be added:

• Where you are, based on a device, geographic location, a phone number, etc.

• Contextual authentication, where, for example, you can set working hours, not allowing access to the account outside of those hours. It can also include location and device type.

• Something you do, which can refer, for example, to gestures used on mobile devices to unlock them by connecting points (pattern), or image passwords, supported by Windows 10, where the user moves their fingers on the screen over an image.

Something you know

This factor is also known as knowledge-based authentication or type 1 authentication factor.

It means that the user provides something they know to authenticate themselves to a system.

In the case of passwords, they can be simple or complex, where:

• Incorrectly, people tend to use simple passwords, often related to personal information, because they are easier to remember. When this happens, passwords are easily guessed.

• When using complex passwords, people often end up writing them down somewhere, whether on post-it notes stuck to the monitor, in a notebook, or even in a text file on their computer’s desktop. In these cases, the password becomes visible to others, or even if it is not in plain sight, it can be found relatively easily.

The solution to these problems lies in Password Managers, which organize your credentials, store them securely, and, best of all, you only need to remember one password - the master password, which is used to log in to the Password Manager. This master password should be long (at least 14 characters) and, to make it easier, you can create a passphrase.

Passphrases are passwords based on phrases, making them easier to remember, and they address the complexity issue, especially when mixed with uppercase and lowercase letters, numbers, and special characters.

Regarding security questions, their security also increases if the user uses complex strings instead of the actual answer to the questions. The true answers are often so obvious to those who know the user even slightly (and with all the information shared on social media these days, this can be relatively easy), making them easy to compromise.

Something you have

This factor is also known as possession-based authentication or type 2 authentication factor.

Perhaps the most common method is One-Time Passwords (OTP), which, as the name suggests, are codes that can only be used once and expire if not used within a certain period of time. They can be generated via:

• Software (soft tokens), such as the popular Authenticator apps like Google Authenticator, Microsoft Authenticator, Cisco DUO, etc.

• Hardware (hard tokens), which are dedicated hardware devices, such as the RSA SecurID.

In addition to the type of device where they are generated, OTPs can be:

• Synchronous OTP, which is the most common and least complex. It can be time-based or counter-based. Time-based OTPs are generated every 30 or 60 seconds, while counter-based OTPs increment a number with each use.

• Asynchronous OTP, which, although less common and more complex, provides a more robust layer of security.

Smart cards, on the other hand, are so named because they contain an embedded integrated circuit that can perform calculations and generate unique authentication data for each transaction. They can be:

• Contact Smart Cards, where the chip on the card needs to make contact with the reader to receive power and allow the transaction to be completed.

• Contactless Smart Cards, where the reader sends signals that are strong enough to power the chips and communicate with them, allowing the card to perform the necessary calculations and respond to the reader.

Memory cards contain a type of memory that is embedded in a magnetic strip, usually on the back of the card, from which the same data is read during each transaction.

Something you are

Also known as biometric authentication or type 3 authentication factor.

It is divided into:

• Physiological characteristics, which can include fingerprints, hand geometry, facial features, eye characteristics (such as iris and retina), etc.

• Behavioral characteristics, which can include how a person writes, walks, speaks, presses the keys on a keyboard, etc.

Where you are

Location can be obtained based on the IP address or through geolocation.

This type of system can prevent access by users who are not in the location where they typically connect - where you are not. In fact, a basic rule is that a user should not be able to log in to their account outside of their workplace, or, if they wish to do so, they must request permission. Although this control can be easily bypassed using a VPN, it still serves as a protection that makes sense.

Single-Factor Authentication and Two-Factor Authentication

There is some confusion regarding what is considered the use of authentication factors.

For example, if a system uses more than one type of authentication, but all are from the same factor, it is not Multi-Factor Authentication, but rather Single-Factor Authentication. Examples where, despite using different types of authentication, Multi-Factor Authentication does not occur:

• The use of username/password and the answer to security questions - both mechanisms belong to the something you know factor.

• The use of a token generated by Google Authenticator and another generated by RSA SecurID - both mechanisms belong to the something you have factor.

• The use of a fingerprint reader and a retina reader - both mechanisms belong to the something you are factor.

The combination of two factors, such as something you know and something you have, can be called Two-Factor Authentication.

The difference between Two-Factor Authentication and Multi-Factor Authentication is that the former refers to the use of two factors, while the latter refers to the use of two or more factors.

It is important to note that using different types of authentication from the same factor typically does not add security, as the same type of attack can compromise them. In other words, using a password and a PIN does not guarantee that you are more secure than if you only used a password, as the same attacks that can be performed to discover the password can also discover the PIN. In contrast, when using different factors, such as a password and an OTP from a hard token, it would be necessary to both discover the password and physically steal the hard token in order to successfully access the account.

Weak and Strong Multi-Factor Authentication

Although Multi-Factor Authentication (MFA) is a recommended configuration, it does not guarantee by itself that your accounts are secure. For example, SMS-based Multi-Factor Authentication is considered weak due to an attack known as SIM Swap, in which criminals gain control of the victim's phone number, thus gaining access to the code sent to it, enabling them to log into the victim's accounts.

However, even when using strong authentication factors, there are some considerations to keep in mind:

• When using an Authenticator that sends notifications for the user to approve access, if the user is distracted or unaware of what they are doing, they may accidentally approve access for a third party without realizing what is actually happening.

• When using an Authenticator that sends notifications, generates codes, or asks for a code provided on the website, although these methods are considered secure, the user can be deceived if they access a fake website that closely resembles the real one. In such cases, the data the user enters - such as their username and password - will be sent to the real site, followed by the OTP, allowing the attacker to gain unauthorized access.

To address this, you could consider using passkeys or even security keys (physical security keys), as these devices must be physically connected to the device from which the login is being made, or brought near (via NFC), in order for access to be granted. This adds an additional layer of security by ensuring that the attacker cannot gain access without having the physical key or device.

Does the second authentication factor always have to be requested?

No, not always. For example, some services only ask for it the first time you use a particular device. After that, the device is authorized to access your account and is recognized as trusted, and by itself, functions as a factor. The second factor will only be requested when you access from a device that the service does not recognize.

There are also services that allow you to store the data for a certain period of time, not requesting the second authentication factor until that period expires.

What if I lose the MFA method?

You should always keep in mind alternatives to the MFA method you set up. For example, some services provide backup codes that can be used in case you lose access to the configured method. Make sure to note those codes down carefully. If you are using a security key as an authentication factor, like a Yubikey, it is a good practice to have a second security key in case you lose the first one. You might even consider storing the second key in a different physical location than the first.

A word about FIDO2

I can't finish this article without mentioning Fast IDentity Online 2 (FIDO2), although in a very brief way. FIDO2 is an open protocol for user authentication that uses passkeys, which are credentials created through public key cryptography, with a private key and a public key being created. The private key is securely stored on the user's device, and the public key is encrypted and sent to the service's server.

The key pair is used to authenticate the user directly on their device, whether it’s a computer, tablet, mobile phone, or security key. Whenever the user logs in, the service presents a unique challenge to the client. The device is activated via touch, fingerprint or face recognition, or PIN entry, allowing the request to be signed and returned. This makes the process cryptographically protected against phishing.

Since a different key pair is generated for each web application or website, they also have the advantage of enhancing user privacy by making it harder to link activity across services.

FIDO2 also implements the concept of Passwordless, which means that no passwords are used to log in. This makes access not only more convenient but also more secure, as the vulnerabilities associated with passwords are well known.

The first version, which introduced phishing-resistant Multifactor Authentication, was released in 2014, and the second, released in 2018, defined the standard for passwordless authentication.

Conclusion

In conclusion, despite all the information in this article, the main takeaway is the importance of enabling Multifactor Authentication on all your accounts that support it - this is usually something that can be done in your account settings.

Not all services use strong MFA, but even so, having MFA enabled - even if weak - is better than having none.

Conduct an audit of your accounts now to enable MFA on those where it’s not yet activated. It’s true that it will take some time, but in the end, you’ll feel more at ease about the security of your accounts and the information they contain.

Thinking that it only happens to others is not a good security strategy. It’s also important to keep in mind that there are various ways credentials can be compromised, whether through attacks targeting the user directly or the service where their credentials are stored. And we don’t always know how these services handle our data - in other words, there have been numerous leaks showing that some services still don’t follow best practices for storing their users’ credentials!

I don’t know if this is the case for everyone, but I type faster on a physical keyboard than on a virtual one like those on mobile devices. So, for longer texts or extended conversations, using a physical keyboard can be quite useful.

The same goes for the mouse, which can be used in various applications, including games.

For this to be possible, you may need a USB-A to USB-C adapter.

To further improve the experience, you can place the device on a dedicated stand in front of you, either horizontally or vertically, so the screen faces you without having to hold it in your hand or lay it flat on the table.

In addition to mobile devices, they can also be connected to your TV box. This makes its use much easier, since, for example, searching on YouTube with the box’s remote is… time-consuming!

Did you already know about this? Have you ever connected a keyboard and/or mouse to mobile devices or TV boxes? What was the purpose? Share your experience in the comments.

See you soon,

Nelson Lopes

On this day, Microsoft rolls out critical patches (including zero-days), security updates, cumulative updates, bug fixes, and performance/stability improvements.

In enterprise environments, don’t forget to manage updates carefully: test them on staging machines first, and only then roll them out to the rest of the organization. In fact, I recommend using a three-ring approach:

• Ring 0 – First machines and users to receive updates;

• Ring 1 – Key machines/users representing different departments;

• Ring 2 – The rest of the organization.

This can be managed using solutions like Intune, WSUS, SCCM, or other remote management platforms (RMMs).

That said, patches that fix zero-days - vulnerabilities for which no official fix existed and that may already be exploited - should be applied as early as possible, regardless of which ring the device belongs to.

Also, keep in mind: if the second Tuesday of the month is a public holiday, it’s likely that many computers were off and didn’t receive the update - meaning the real slowdown will happen on Wednesday. Just saying… it has happened before. :)

Talk soon,

Nelson

Nowadays, we increasingly have less need to carry a physical wallet. For example, in Portugal, the gov.id app (iOS, Android) already allows users to legally present their citizen card, driver’s license, vehicle registration certificate, car insurance, among other documents, meaning there’s no longer a need to carry them physically.

NFC technology, used in banking apps, has long allowed for contactless payments without physical cards. For instance, also in Portugal, the MBWay app enables payments not only via NFC but also through QR code scanning, which greatly simplifies the payment process and reduces - or even eliminates - the need to carry physical bank cards.

Still, most people continue to carry their physical ID and bank cards - either because they’re not comfortable with the technology (they don’t know how it works or are afraid of making mistakes), don’t trust it yet, haven’t taken the time to test it, or simply don’t want to. A friend of mine once said he didn’t use MBWay because it drains his smartphone battery 😮

That said, it’s important to be aware that contactless cards don’t need to be inserted into a payment terminal to complete a transaction - just bringing them close is enough. This also means that a malicious person could approach your pocket or wallet with a payment device in a crowded street or public place and charge you without your consent.

PIN entry is only required for payments above a certain amount, so any charge below that limit will go through without issue.

The same risk exists if you keep NFC enabled on your smartphone and your banking apps are configured for payments. You should always disable NFC when you’re not using it.

Additionally, it’s important to know that access cards to private buildings can be cloned very easily using tools that are freely available online - like the Flipper Zero. Once a card is scanned, its data can be stored on the Flipper Zero and:

• Replayed by holding the Flipper Zero close to an access reader, unlocking a door, safe, garage, etc. that was originally restricted to the access card;

• Or cloned onto a blank smart card, creating a duplicate of the original (which is much less suspicious than carrying around a Flipper Zero).

Because of this, I strongly recommend using RFID-blocking wallets so that all cards inside are secure from these types of attacks. These wallets are available both online and in physical stores.

Don’t forget to test your wallet to make sure the RFID-blocking actually works. To do this, try making a payment while your bank card is inside the wallet. If all goes well, nothing will happen - you’ll need to remove the card in order to complete the transaction.

If you don’t have one of these wallets yet, don’t wait. Get yours today!

Thanks, and see you soon,
Nelson

Welcome to my Substack.

In this first post, I’d like to welcome you and share a bit about what you can expect to find here.

As a computer enthusiast and Director of Information Systems, my daily work revolves around technology. Beyond managing teams and departments, I’m involved in various areas such as networks, cloud, systems administration, software engineering, ERP, RPA, VoIP, cybersecurity, and more.

Outside of work, I enjoy spending time with my family, reading, running, going to the beach, and - of course - exploring technology for personal curiosity.

I hold several certifications, including CISSP, ITIL, PMP, and C|EH. I’m also a member of the Portuguese Order of Engineers, PMI, PMI Portugal, among others.

I live in Porto, Portugal, and I’m the proud father of a little girl - and of Biscoito (Cookie), our family cat.

On this Substack, I’ll be sharing some of my experience, with a special focus on tech updates, cybersecurity, service management (ITSM), project management, productivity, and related topics.

If you want to know more about me, you can visit this page.

Thanks for reading,
Nelson